Shib IdP v3 security & v3.3 release

Posted on Monday, 14 November 2016

A security advisory [1] has been released for the Shibboleth v3 Identity Provider. It affects deployments using the Result Cache feature of the LDAP Data Connector: the issue could result in data associated with one user being substituted for another. A new version of the Shibboleth IdP (v3.3.0) [2] has also been released which, amongst various improvements and new features, fixes this issue.

  • If you are not using the Result Cache feature, then your deployment is not affected.
  • If you are still running a Shibboleth v2 Identity Provider, then your deployment is not affected, but we remind you that the Shibboleth v2 Identity Provider is End Of Life as of July 31st 2016 and you should upgrade to supported software as soon as possible.
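One way to check whether a v3 deployment uses the Result Cache feature is to scan the attribute resolver configuration for LDAP Data Connectors that declare a cache. The script below is an added example, not part of the original announcement or the advisory; it assumes the cache is declared as a `ResultCache` or `ResultCacheBean` child element of an `LDAPDirectory` connector, and the embedded XML is a constructed sample.

```python
import sys
import xml.etree.ElementTree as ET

# Assumption: the cache is declared with one of these child elements.
CACHE_ELEMENTS = {"ResultCache", "ResultCacheBean"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample resolver file (not taken from a real deployment).
SAMPLE = """<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <DataConnector id="myLDAP" xsi:type="LDAPDirectory">
    <ResultCache elementTimeToLive="PT5M"/>
  </DataConnector>
  <DataConnector id="staffLDAP" xsi:type="LDAPDirectory"/>
  <DataConnector id="legacyLDAP" xsi:type="dc:LDAPDirectory">
    <dc:ResultCacheBean>sharedCache</dc:ResultCacheBean>
  </DataConnector>
  <DataConnector id="staticAttrs" xsi:type="Static">
    <ResultCache/>
  </DataConnector>
</AttributeResolver>"""


def local(name):
    """Strip a '{namespace}' or 'prefix:' qualifier from a tag or xsi:type."""
    return name.rsplit("}", 1)[-1].rsplit(":", 1)[-1]


def ldap_connectors_with_cache(xml_text):
    """Return the ids of LDAP DataConnectors that declare a result cache."""
    hits = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "DataConnector":
            continue
        if local(el.get(XSI_TYPE, "")) != "LDAPDirectory":
            continue  # only the LDAP Data Connector is named in the advisory
        if any(local(child.tag) in CACHE_ELEMENTS for child in el):
            hits.append(el.get("id", "<no id>"))
    return hits


if __name__ == "__main__":
    # Pass the path to the resolver file, or run without arguments for the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    found = ldap_connectors_with_cache(text)
    print("LDAP connectors with a result cache:", ", ".join(found) or "none")
```

The check covers only the element forms listed in `CACHE_ELEMENTS`; the advisory [1] remains the reference for exactly which configurations are affected.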

If your deployment is affected, then the advisory describes a temporary workaround, but upgrading to v3.3.0 is the recommended solution.

As such, *all* UK federation members with Shibboleth Identity Provider software deployments are encouraged to migrate to the new release, v3.3.0, as soon as possible. This release is now the current stable release of the Shibboleth IdP, and therefore all earlier releases are unsupported by the Shibboleth Project.

Please contact the UK federation service desk (service@ukfederation.org.uk) if you have any questions about this announcement or require help or guidance on upgrading your software.

[1] Security advisory - https://shibboleth.net/community/advisories/secadv_20161027.txt

[2] Shibboleth IdP v3.3 - https://wiki.shibboleth.net/confluence/display/IDP30/Home

Edited by MarkWilliams on 14 November 2016, at 04:03 PM